Abstract. We describe an automated technique for assume-guarantee style checking of strong simulation between a system and a specification, both expressed as non-deterministic Labeled Probabilistic Transition Systems (LPTSes). We first characterize counterexamples to strong simulation as stochastic trees and show that simpler structures are insufficient. Then, we use these trees in an abstraction refinement algorithm that computes the assumptions for assume-guarantee reasoning as conservative LPTS abstractions of some of the system components. The abstractions are automatically refined based on tree counterexamples obtained from failed simulation checks with the remaining components. We have implemented the algorithms for counterexample generation and assume-guarantee abstraction refinement and report encouraging results.



1 Introduction 

Probabilistic systems are increasingly used for the formal modeling and analysis of a wide variety of systems ranging from randomized communication and security protocols to nanoscale computers and biological processes. Probabilistic model checking is an automatic technique for the verification of such systems against formal specifications [2]. However, as in the classical non-probabilistic case [7], it suffers from the state explosion problem, where the state space of a concurrent system grows exponentially in the number of its components.

Assume-guarantee style compositional techniques [18] address this problem by decomposing the verification of a system into that of its smaller components and composing back the results, without verifying the whole system directly. When checking individual components, the method uses assumptions about the components' environments and then discharges them on the rest of the system. For a system of two components, such reasoning is captured by the following simple assume-guarantee rule.
$$\frac{1: L_1 \parallel A \preceq P \qquad 2: L_2 \preceq A}{L_1 \parallel L_2 \preceq P} \quad (\mathrm{ASym})$$

Here $L_1$ and $L_2$ are system components, $P$ is a specification to be satisfied by the composite system and $A$ is an assumption on $L_1$'s environment, to be discharged on $L_2$. Several other such rules have been proposed, some of them involving symmetric [19] or circular [8,19,16] reasoning. Despite its simplicity, rule ASym has been proven the most effective in practice and studied extensively [19,4,11], mostly in the context of non-probabilistic reasoning.

We consider here the automated assume-guarantee style compositional verification of Labeled Probabilistic Transition Systems (LPTSes), whose transitions have both probabilistic and non-deterministic behavior. The verification is performed using the rule ASym where $L_1$, $L_2$, $A$ and $P$ are LPTSes and the conformance relation $\preceq$ is instantiated with strong simulation [20]. We chose strong simulation for the following reasons. Strong simulation is a decidable, well studied relation between specifications and implementations, both for non-probabilistic [17] and probabilistic [20] systems. A method to help scale such a check is of natural interest. Furthermore, rule ASym is both sound and complete for this relation. Completeness is obtained trivially by replacing $A$ with $L_2$ but is essential for full automation (see Section 5). One can argue that strong simulation is too fine a relation to yield suitably small assumptions. However, previous success in using strong simulation in non-probabilistic compositional verification [5] motivated us to consider it in a probabilistic setting as well. And we shall see that indeed we can obtain small assumptions for the examples we consider while achieving savings in time and memory (see Section 6).

The main challenge in automating assume-guarantee reasoning is to come up with such small assumptions satisfying the premises. In the non-probabilistic case, solutions to this problem have been proposed which use either automata learning techniques [19,4] or abstraction refinement [12], and several improvements and optimizations followed. For probabilistic systems, techniques using automata learning have been proposed. They target probabilistic reachability checking and are not guaranteed to terminate, due to incompleteness of the assume-guarantee rules [11] or to the undecidability of the conformance relation and learning algorithms used [10].

In this paper we propose a complete, fully automatic framework for the compositional verification of LPTSes with respect to simulation conformance. One fundamental ingredient of the framework is the use of counterexamples (from failed simulation checks) to iteratively refine inferred assumptions. Counterexamples are also extremely useful in general to help with debugging of discovered errors. However, to the best of our knowledge, the notion of a counterexample has not been previously formalized for strong simulation between probabilistic systems. As our first contribution we give a characterization of counterexamples to strong simulation as stochastic trees and an algorithm to compute them; we also show that simpler structures are insufficient in general (Section 3).
We then propose an assume-guarantee abstraction-refinement (AGAR) algorithm (Section 5) to automatically build the assumptions used in compositional reasoning. The algorithm follows previous work [12] which, however, was done in a non-probabilistic, trace-based setting. In our approach, $A$ is maintained as a conservative abstraction of $L_2$, i.e. an LPTS that simulates $L_2$ (hence, premise 2 holds by construction), and is iteratively refined based on tree counterexamples obtained from checking premise 1. The iterative process is guaranteed to terminate, with the number of iterations bounded by the number of states in $L_2$. When $L_2$ itself is composed of multiple components, the second premise ($L_2 \preceq A$) is viewed as a new compositional check, generalizing the approach to $n > 2$ components. AGAR can be further applied to the case where the specification $P$ is instantiated with a formula of a logic preserved by strong simulation, such as safe-pCTL.

We have implemented the algorithms for counterexample generation and for 
AGAR using Java™ and Yices [5] and show experimentally that AGAR can 
achieve significantly better performance than non-compositional verification. 

Other Related Work. Counterexamples to strong simulation have been characterized before as tree-shaped structures for the case of non-probabilistic systems [5], which we generalize to stochastic trees in Section 3 for the probabilistic case. Tree counterexamples have also been used in the context of a compositional framework that uses rule ASym for checking strong simulation in the non-probabilistic case [4] and employs tree-automata learning to build deterministic assumptions.

AGAR is a variant of the well-known CounterExample Guided Abstraction Refinement (CEGAR) approach [6]. CEGAR has been adapted to probabilistic systems, in the context of probabilistic reachability [13] and safe-pCTL [3]. The CEGAR approach we describe in Section 4 is an adaptation of the latter. Both these works consider abstraction refinement in a monolithic, non-compositional setting. On the other hand, AGAR uses counterexamples from checking one component to refine the abstraction of another component.

2 Preliminaries 

Labeled Probabilistic Transition Systems. Let $S$ be a non-empty set. $Dist(S)$ is defined to be the set of discrete probability distributions over $S$. We assume that all the probabilities specified explicitly in a distribution are rationals in $[0, 1]$; there is no unique representation for all real numbers on a computer and floating-point numbers are essentially rationals. For $s \in S$, $\delta_s$ is the Dirac distribution on $s$, i.e. $\delta_s(s) = 1$ and $\delta_s(t) = 0$ for all $t \neq s$. For $\mu \in Dist(S)$, the support of $\mu$, denoted $Supp(\mu)$, is defined to be the set $\{s \in S \mid \mu(s) > 0\}$ and for $T \subseteq S$, $\mu(T)$ stands for $\sum_{s \in T} \mu(s)$. The models we consider, defined below, have both probabilistic and non-deterministic behavior. Thus, there can be a non-deterministic choice between two probability distributions, even for the same action. Such modeling is mainly used for underspecification and moreover, the abstractions we consider (see Definition 8) naturally have this non-determinism.
Fig. 1: Four reactive and fully-probabilistic LPTSes.



As we see below, the theory described does not become any simpler by disallowing non-deterministic choice for a given action (Lemmas 4 and 5).

Definition 1 (LPTS). A Labeled Probabilistic Transition System (LPTS) is a tuple $(S, s^0, \alpha, \tau)$ where $S$ is a set of states, $s^0 \in S$ is a distinguished start state, $\alpha$ is a set of actions and $\tau \subseteq S \times \alpha \times Dist(S)$ is a probabilistic transition relation. For $s \in S$, $a \in \alpha$ and $\mu \in Dist(S)$, we denote $(s, a, \mu) \in \tau$ by $s \xrightarrow{a} \mu$ and say that $s$ has a transition on $a$ to $\mu$.

An LPTS is called reactive if $\tau$ is a partial function from $S \times \alpha$ to $Dist(S)$ (i.e. at most one transition on a given action from a given state) and fully-probabilistic if $\tau$ is a partial function from $S$ to $\alpha \times Dist(S)$ (i.e. at most one transition from a given state).

Figure 1 illustrates LPTSes. Throughout this paper, we use filled circles to denote start states in the pictorial representations of LPTSes. For the distribution $\mu = \{(s_1, 0.1), (s_2, 0.9)\}$, $L_1$ in the figure has the transition $s_1 \xrightarrow{output} \mu$. All the LPTSes in the figure are reactive as no state has more than one transition on a given action. They are also fully-probabilistic as no state has more than one transition. In the literature, an LPTS is also called a simple probabilistic automaton [20]. Similarly, a reactive (fully-probabilistic) LPTS is also called a (Labeled) Markov Decision Process (Markov Chain). Also, note that an LPTS with all the distributions restricted to Dirac distributions is the classical (non-probabilistic) Labeled Transition System (LTS); thus a reactive LTS corresponds to the standard notion of a deterministic LTS. For example, $L_2$ in Figure 1 is a reactive (or deterministic) LTS. We only consider finite state, finite alphabet and finitely branching (i.e. finitely many transitions from any state) LPTSes.

We are also interested in LPTSes with a tree structure, i.e. the start state is not in the support of any distribution and every other state is in the support of exactly one distribution. We call such LPTSes stochastic trees or simply, trees.

We use $(S_i, s^0_i, \alpha_i, \tau_i)$ for an LPTS $L_i$ and $(S_L, s^0_L, \alpha_L, \tau_L)$ for an LPTS $L$. The following notation is used in Section 5.

Notation 1 For an LPTS $L$ and an alphabet $\alpha$ with $\alpha_L \subseteq \alpha$, $L^{\alpha}$ stands for the LPTS $(S_L, s^0_L, \alpha, \tau_L)$.

Let $L_1$ and $L_2$ be two LPTSes and $\mu_1 \in Dist(S_1)$, $\mu_2 \in Dist(S_2)$.

Definition 2 (Product [20]). The product of $\mu_1$ and $\mu_2$, denoted $\mu_1 \otimes \mu_2$, is a distribution in $Dist(S_1 \times S_2)$ such that $\mu_1 \otimes \mu_2 : (s_1, s_2) \mapsto \mu_1(s_1) \cdot \mu_2(s_2)$.
Fig. 2: Explaining $\mu_1 \sqsubseteq_R \mu_2$ by means of splitting (indicated by arrows) and matching (indicated by solid lines) the probabilities.

Definition 3 (Composition [20]). The parallel composition of $L_1$ and $L_2$, denoted $L_1 \parallel L_2$, is defined as the LPTS $(S_1 \times S_2, (s^0_1, s^0_2), \alpha_1 \cup \alpha_2, \tau)$ where $((s_1, s_2), a, \mu) \in \tau$ iff

1. $s_1 \xrightarrow{a} \mu_1$, $s_2 \xrightarrow{a} \mu_2$ and $\mu = \mu_1 \otimes \mu_2$, or

2. $s_1 \xrightarrow{a} \mu_1$, $a \notin \alpha_2$ and $\mu = \mu_1 \otimes \delta_{s_2}$, or

3. $a \notin \alpha_1$, $s_2 \xrightarrow{a} \mu_2$ and $\mu = \delta_{s_1} \otimes \mu_2$.

For example, in Figure 1, $L$ is the composition of $L_1$ and $L_2$.
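As an added example (not code from the paper), the product of Definition 2 and the three cases of Definition 3 in Python. The LPTS encoding (a dict with `start`, `alphabet` and `trans`, where `trans` maps every state to its list of (action, distribution) pairs and a distribution is a dict from states to `Fraction`) and the sender/receiver LPTSes are assumptions of this example. Probabilities are kept as exact rationals, as the preliminaries require, so checking that a product distribution sums to 1 needs no floating-point slack; the composition also exposes the deadlock state that a lost message leaves behind.

```python
from collections import deque
from fractions import Fraction

# Encoding assumed by this example (not the paper's notation): an LPTS is a dict
# with keys "start", "alphabet" and "trans"; "trans" maps every state to a list
# of (action, distribution) pairs and a distribution is a dict state -> Fraction.


def dirac(s):
    """Dirac distribution delta_s."""
    return {s: Fraction(1)}


def product(mu1, mu2):
    """Definition 2: (mu1 (x) mu2)(s1, s2) = mu1(s1) * mu2(s2)."""
    return {(s1, s2): p1 * p2 for s1, p1 in mu1.items() for s2, p2 in mu2.items()}


def compose(L1, L2):
    """Definition 3: L1 || L2. A shared action synchronises both components
    (case 1); an action private to one component moves only that component,
    the other one contributing a Dirac on its current state (cases 2 and 3)."""
    a1, a2 = L1["alphabet"], L2["alphabet"]
    trans = {}
    for s1, ts1 in L1["trans"].items():
        for s2, ts2 in L2["trans"].items():
            out = []
            for a, mu1 in ts1:
                if a in a2:   # case 1: both must offer a, otherwise no transition
                    out += [(a, product(mu1, mu2)) for b, mu2 in ts2 if b == a]
                else:         # case 2: a is private to L1
                    out.append((a, product(mu1, dirac(s2))))
            for a, mu2 in ts2:
                if a not in a1:   # case 3: a is private to L2
                    out.append((a, product(dirac(s1), mu2)))
            trans[(s1, s2)] = out
    return {"start": (L1["start"], L2["start"]), "alphabet": a1 | a2, "trans": trans}


def reachable_states(L):
    """States reachable from the start state through supports of distributions."""
    seen, todo = {L["start"]}, deque([L["start"]])
    while todo:
        s = todo.popleft()
        for _, mu in L["trans"][s]:
            for t in mu:
                if t not in seen:
                    seen.add(t)
                    todo.append(t)
    return seen


# Constructed sample (an assumption of this example): a sender whose send is
# lost with probability 1/10, and a receiver that delivers before acknowledging.
SENDER = {
    "start": "s0",
    "alphabet": {"send", "ack"},
    "trans": {
        "s0": [("send", {"s1": Fraction(9, 10), "s0": Fraction(1, 10)})],
        "s1": [("ack", dirac("s0"))],
    },
}
RECEIVER = {
    "start": "r0",
    "alphabet": {"send", "deliver", "ack"},
    "trans": {
        "r0": [("send", dirac("r1"))],
        "r1": [("deliver", dirac("r2"))],
        "r2": [("ack", dirac("r0"))],
    },
}
COMPOSED = compose(SENDER, RECEIVER)

if __name__ == "__main__":
    for s in sorted(reachable_states(COMPOSED)):
        for a, mu in COMPOSED["trans"][s]:
            print(s, "--", a, "-->", {t: str(p) for t, p in mu.items()})
```

The composite state `("s0", "r2")` (sender lost its message, receiver waiting to acknowledge) ends up with no transitions: `send` is shared but the receiver does not offer it, and `ack` is shared but the sender does not offer it, so neither case of Definition 3 applies.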

Strong Simulation. For two LTSes, a pair of states belonging to a strong simulation relation depends on whether certain other pairs of successor states also belong to the relation [17]. For LPTSes, one has successor distributions instead of successor states; a pair of states belonging to a strong simulation relation $R$ should now depend on whether certain other pairs in the supports of the successor distributions also belong to $R$. Therefore we define a binary relation on distributions, $\sqsubseteq_R$, which depends on the relation $R$ between states. Intuitively, two distributions can be related if we can pair the states in their support sets, the pairs contained in $R$, matching all the probabilities under the distributions.

Consider an example with $sRt$ and the transitions $s \xrightarrow{a} \mu_1$ and $t \xrightarrow{a} \mu_2$ with $\mu_1$ and $\mu_2$ as in Figure 2(a). In this case, one easy way to match the probabilities is to pair $s_1$ with $t_1$ and $s_2$ with $t_2$. This is sufficient if $s_1 R t_1$ and $s_2 R t_2$ also hold, in which case, we say that $\mu_1 \sqsubseteq_R \mu_2$. However, such a direct matching may not be possible in general, as is the case in Figure 2(b). One can still obtain a matching by splitting the probabilities under the distributions in such a way that one can then directly match the probabilities as in Figure 2(a). Now, if $s_1 R t_1$, $s_1 R t_2$, $s_2 R t_2$ and $s_2 R t_1$ also hold, we say that $\mu_1 \sqsubseteq_R \mu_2$. Note that there can be more than one possible splitting. This is the central idea behind the following definition where the splitting is achieved by a weight function. Let $R \subseteq S_1 \times S_2$.
Definition 4 ([20]). $\mu_1 \sqsubseteq_R \mu_2$ iff there is a weight function $w : S_1 \times S_2 \to \mathbb{Q} \cap [0, 1]$ such that

1. $\mu_1(s_1) = \sum_{s_2 \in S_2} w(s_1, s_2)$ for all $s_1 \in S_1$,

2. $\mu_2(s_2) = \sum_{s_1 \in S_1} w(s_1, s_2)$ for all $s_2 \in S_2$,

3. $w(s_1, s_2) > 0$ implies $s_1 R s_2$ for all $s_1 \in S_1$, $s_2 \in S_2$.

$\mu_1 \sqsubseteq_R \mu_2$ can be checked by computing the maxflow in an appropriate network and checking if it equals 1.0 [1]. If $\mu_1 \sqsubseteq_R \mu_2$ holds, $w$ in the above definition is one such maxflow function. As explained above, $\mu_1 \sqsubseteq_R \mu_2$ can be understood as matching all the probabilities (after splitting appropriately) under $\mu_1$ and $\mu_2$. Considering $Supp(\mu_1)$ and $Supp(\mu_2)$ as two partite sets, this is the weighted analog of saturating a partite set in bipartite matching, giving us the following analog of the well-known Hall's Theorem for saturating $Supp(\mu_1)$.

Lemma 1 ([1]). $\mu_1 \sqsubseteq_R \mu_2$ iff for every $S \subseteq Supp(\mu_1)$, $\mu_1(S) \le \mu_2(R(S))$.

It follows that when $\mu_1 \not\sqsubseteq_R \mu_2$, there exists a witness $S \subseteq Supp(\mu_1)$ such that $\mu_1(S) > \mu_2(R(S))$. For example, if $R(s_2) = \emptyset$ in Figure 2(a), its probability under $\mu_1$ cannot be matched and $S = \{s_2\}$ is a witness subset.

Definition 5 (Strong Simulation [20]). $R$ is a strong simulation iff for every $s_1 R s_2$ and $s_1 \xrightarrow{a} \mu_1$ there is a $\mu_2$ with $s_2 \xrightarrow{a} \mu_2$ and $\mu_1 \sqsubseteq_R \mu_2$.

For $s_1 \in S_1$ and $s_2 \in S_2$, $s_2$ strongly simulates $s_1$, denoted $s_1 \preceq s_2$, iff there is a strong simulation $T$ such that $s_1 T s_2$. $L_2$ strongly simulates $L_1$, also denoted $L_1 \preceq L_2$, iff $s^0_1 \preceq s^0_2$.

When checking a specification $P$ of a system $L$ with $\alpha_P \subseteq \alpha_L$, we implicitly assume that $P$ is completed by adding Dirac self-loops on each of the actions in $\alpha_L \setminus \alpha_P$ from every state before checking $L \preceq P$. For example, $L \preceq P$ in Figure 1 assuming that $P$ is completed with $\{send, ack\}$. Checking $L_1 \preceq L_2$ is decidable in polynomial time [1,21] and can be performed with a greatest fixed point algorithm that computes the coarsest simulation between $L_1$ and $L_2$. The algorithm uses a relation variable $R$ initialized to $S_1 \times S_2$ and checks the condition in Definition 5 for every pair in $R$, iteratively, removing any violating pairs from $R$. The algorithm terminates when a fixed point is reached showing $L_1 \preceq L_2$ or when the pair of initial states is removed showing $L_1 \not\preceq L_2$. If $n = \max(|S_1|, |S_2|)$ and $m = \max(|\tau_1|, |\tau_2|)$, the algorithm takes $O((mn^6 + m^2 n^3)/\log n)$ time and $O(mn + n^2)$ space [1]. Several optimizations exist [21] but we do not consider them here, for simplicity.

We do consider a specialized algorithm for the case that $L_1$ is a tree which we use during abstraction refinement (Sections 4 and 5). It initializes $R$ to $S_1 \times S_2$ and is based on a bottom-up traversal of $L_1$. Let $s_1 \in S_1$ be a non-leaf state during such a traversal and let $s_1 \xrightarrow{a} \mu_1$. For every $s_2 \in S_2$, the algorithm checks if there exists $s_2 \xrightarrow{a} \mu_2$ with $\mu_1 \sqsubseteq_R \mu_2$ and removes $(s_1, s_2)$ from $R$ otherwise, where $R$ is the current relation. This constitutes an iteration in the algorithm. The algorithm terminates when $(s^0_1, s^0_2)$ is removed from $R$ or when the traversal ends. Correctness is not hard to show and we skip the proof.
Lemma 2 ([20]). $\preceq$ is a preorder (i.e. reflexive and transitive) and is compositional, i.e. if $L_1 \preceq L_2$ and $\alpha_2 \subseteq \alpha_1$, then for every LPTS $L$, $L_1 \parallel L \preceq L_2 \parallel L$.

Finally, we show the soundness and completeness of the rule ASym. The rule is sound if the conclusion holds whenever there is an $A$ satisfying the premises. And the rule is complete if there is an $A$ satisfying the premises whenever the conclusion holds.

Theorem 1. For $\alpha_A \subseteq \alpha_2$, the rule ASym is sound and complete.

Proof. Soundness follows from Lemma 2. Completeness follows trivially by replacing $A$ with $L_2$. □



3 Counterexamples to Strong Simulation 

Let $L_1$ and $L_2$ be two LPTSes. We characterize a counterexample to $L_1 \preceq L_2$ as a tree and show that any simpler structure is not sufficient in general. We first describe counterexamples via a simple language-theoretic characterization.

Definition 6 (Language of an LPTS). Given an LPTS $L$, we define its language, denoted $\mathcal{L}(L)$, as the set $\{L' \mid L' \text{ is an LPTS and } L' \preceq L\}$.

Lemma 3. $L_1 \preceq L_2$ iff $\mathcal{L}(L_1) \subseteq \mathcal{L}(L_2)$.

Proof. Necessity follows trivially from the transitivity of $\preceq$ and sufficiency follows from the reflexivity of $\preceq$ which implies $L_1 \in \mathcal{L}(L_1)$. □

Thus, a counterexample $C$ can be defined as follows.

Definition 7 (Counterexample). A counterexample to $L_1 \preceq L_2$ is an LPTS $C$ such that $C \in \mathcal{L}(L_1) \setminus \mathcal{L}(L_2)$, i.e. $C \preceq L_1$ but $C \not\preceq L_2$.

Now, $L_1$ itself is a trivial choice for $C$ but it does not give any more useful information than what we had before checking the simulation. Moreover, it is preferable to have $C$ with a special and simpler structure rather than a general LPTS as it helps in a more efficient counterexample analysis, wherever it is used. When the LPTSes are restricted to LTSes, a tree-shaped LTS is known to be sufficient as a counterexample [5]. Based on a similar intuition, we show that a stochastic tree is sufficient as a counterexample in the probabilistic case.

Theorem 2. If $L_1 \not\preceq L_2$, there is a tree which serves as a counterexample.

Proof. We only give a brief sketch of a constructive proof here. See Appendix for a detailed proof. Counterexample generation is based on the coarsest strong simulation computation from Section 2. By induction on the number of pairs not in the current relation $R$, we show that there is a tree counterexample to $s_1 \preceq s_2$ whenever $(s_1, s_2)$ is removed from $R$. We only consider the inductive case here. The pair is removed because there is a transition $s_1 \xrightarrow{a} \mu_1$ but for every $s_2 \xrightarrow{a} \mu$, $\mu_1 \not\sqsubseteq_R \mu$, i.e. there exists $S_1^{\mu} \subseteq Supp(\mu_1)$ such that $\mu_1(S_1^{\mu}) > \mu(R(S_1^{\mu}))$. Such an $S_1^{\mu}$ can be found using Algorithm 1. Now, no pair in $S_1^{\mu} \times (Supp(\mu) \setminus R(S_1^{\mu}))$ is in $R$. By induction hypothesis, a counterexample tree exists for each such pair. A counterexample to $s_1 \preceq s_2$ is built using $\mu_1$ and all these other trees. □



A. Komuravelli et al.



Algorithm 1 Finding $T \subseteq S_1$ such that $\mu_1(T) > \mu(R(T))$.

Given $\mu_1 \in Dist(S_1)$, $\mu \in Dist(S_2)$, $R \subseteq S_1 \times S_2$ with $\mu_1 \not\sqsubseteq_R \mu$.

1: let $f$ be a maxflow function for the flow network corresponding to $\mu_1$ and $\mu$

2: find $s_1 \in S_1$ with $\mu_1(s_1) > \sum_{s_2 \in S_2} f(s_1, s_2)$ and let $T = \{s_1\}$

3: while $\mu_1(T) \le \mu(R(T))$ do

4:   $T \leftarrow T \cup \{s_1 \in S_1 \mid \exists s_2 \in R(T) : f(s_1, s_2) > 0\}$

5: end while

6: return $T$



For an illustration, see Figure 3 where $C$ is a counterexample to $L_1 \preceq L_2$. Algorithm 1 is also analogous to the one used to find a subset failing Hall's condition in Graph Theory and can easily be proved correct. We obtain the following complexity bounds whose proof can be found in Appendix.

Theorem 3. Deciding $L_1 \preceq L_2$ and obtaining a tree counterexample takes $O(mn^6 + m^2 n^3)$ time and $O(mn + n^2)$ space where $n = \max(|S_{L_1}|, |S_{L_2}|)$ and $m = \max(|\tau_1|, |\tau_2|)$.
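As an added example that is not part of the paper, the following Python code implements the weight-function check of Definition 4 as a max-flow computation over exact rationals, Algorithm 1 above for extracting a Hall witness $T$ when that check fails, and on top of both the greatest-fixed-point computation of the coarsest strong simulation from Section 2. The LPTS encoding (a dict with `start` and `trans`, where `trans` maps every state, including leaf states, to its list of (action, distribution) pairs), the sample distributions and the sample LPTSes are assumptions of this example. The witness loop grows $T$ by union with the states that carry flow into $R(T)$; that is what makes the closure argument behind Hall's condition go through, since every state of $T$ then stays reachable in the residual network.

```python
from collections import deque
from fractions import Fraction

# Encoding assumed by this example (not the paper's notation): a distribution is
# a dict state -> Fraction; a relation R is a set of (s1, s2) pairs; an LPTS is a
# dict with "start" and "trans", where "trans" maps every state (leaves too) to a
# list of (action, distribution) pairs.


def max_flow(mu1, mu2, R):
    """Edmonds-Karp on the network of [1]: src -> s1 (capacity mu1(s1)),
    s1 -> s2 for (s1, s2) in R (capacity 1), s2 -> snk (capacity mu2(s2)).
    Returns (flow value, w) with w[(s1, s2)] the flow carried by the R edge."""
    SRC, SNK = ("src",), ("snk",)              # tuples never collide with states
    cap = {}

    def edge(u, v, c):
        cap.setdefault(u, {})[v] = cap.get(u, {}).get(v, Fraction(0)) + c
        cap.setdefault(v, {}).setdefault(u, Fraction(0))   # residual back edge

    for s1, p in mu1.items():
        edge(SRC, ("L", s1), p)
    for s2, p in mu2.items():
        edge(("R", s2), SNK, p)
    for s1 in mu1:
        for s2 in mu2:
            if (s1, s2) in R:
                edge(("L", s1), ("R", s2), Fraction(1))
    total = Fraction(0)
    while True:                                  # BFS for an augmenting path
        parent, queue = {SRC: None}, deque([SRC])
        while queue and SNK not in parent:
            u = queue.popleft()
            for v, c in cap[u].items():
                if c > 0 and v not in parent:
                    parent[v] = u
                    queue.append(v)
        if SNK not in parent:
            break
        path, v = [], SNK
        while parent[v] is not None:
            path.append((parent[v], v))
            v = parent[v]
        bottleneck = min(cap[u][v] for u, v in path)
        for u, v in path:
            cap[u][v] -= bottleneck
            cap[v][u] += bottleneck
        total += bottleneck
    w = {(s1, s2): cap[("R", s2)][("L", s1)]     # back-edge residual == flow
         for s1 in mu1 for s2 in mu2 if (s1, s2) in R}
    return total, w


def dist_leq(mu1, mu2, R):
    """mu1 ⊑_R mu2 (Definition 4) iff the max flow saturates Supp(mu1), i.e. is 1."""
    return max_flow(mu1, mu2, R)[0] == 1


def witness_subset(mu1, mu2, R):
    """Algorithm 1: for mu1 not ⊑_R mu2, a T ⊆ Supp(mu1) with mu1(T) > mu2(R(T))."""
    total, w = max_flow(mu1, mu2, R)
    assert total < 1, "mu1 ⊑_R mu2 holds, no witness exists"
    image = lambda T: {b for a, b in R if a in T}                 # R(T)
    # line 2: a state of Supp(mu1) left unsaturated by the max flow
    T = {next(s for s in mu1 if mu1[s] > sum(w.get((s, t), 0) for t in mu2))}
    # lines 3-5: grow T along flow-carrying edges until Hall's condition fails
    while sum(mu1[s] for s in T) <= sum(mu2[t] for t in image(T)):
        T |= {s for s in mu1 if any(w.get((s, t), 0) > 0 for t in image(T))}
    return T


def strong_simulation(L1, L2):
    """Greatest fixed point of Section 2: start from S1 x S2 and drop every pair
    violating Definition 5 until nothing changes. The result is the coarsest
    strong simulation, so it contains (start1, start2) iff L1 ≼ L2."""
    R = {(s1, s2) for s1 in L1["trans"] for s2 in L2["trans"]}
    changed = True
    while changed:
        changed = False
        for s1, s2 in list(R):
            if not all(any(a == b and dist_leq(mu1, mu2, R) for b, mu2 in L2["trans"][s2])
                       for a, mu1 in L1["trans"][s1]):
                R.discard((s1, s2))
                changed = True
    return R


def simulates(L1, L2):
    return (L1["start"], L2["start"]) in strong_simulation(L1, L2)


# Constructed samples (assumptions of this example).
MU1 = {"s1": Fraction(1, 2), "s2": Fraction(1, 2)}
MU2 = {"t1": Fraction(3, 4), "t2": Fraction(1, 4)}
R_NARROW = {("s1", "t1"), ("s2", "t2")}          # s2's mass 1/2 cannot fit into t2
R_WIDE = R_NARROW | {("s2", "t1")}                # splitting s2 over t1 and t2 works
IMPL = {"start": "s0", "trans": {
    "s0": [("a", {"s1": Fraction(1, 2), "s2": Fraction(1, 2)})],
    "s1": [("b", {"s3": Fraction(1)})], "s2": [("c", {"s3": Fraction(1)})], "s3": []}}
SPEC_OK = {"start": "t0", "trans": {          # t1 simulates both s1 and s2
    "t0": [("a", {"t1": Fraction(1)})],
    "t1": [("b", {"t3": Fraction(1)}), ("c", {"t3": Fraction(1)})], "t3": []}}
SPEC_BAD = {"start": "t0", "trans": {         # no c, so s2 has no partner
    "t0": [("a", {"t1": Fraction(1)})], "t1": [("b", {"t3": Fraction(1)})], "t3": []}}
```

With `R_NARROW` the flow saturates only $3/4$ of `MU1` and Algorithm 1 returns `{"s2"}`: $\mu_1(\{s_2\}) = 1/2 > 1/4 = \mu_2(\{t_2\})$. Against `SPEC_BAD`, the pair $(s_2, t_1)$ is dropped first and then $(s_0, t_0)$ falls because the `a`-distribution of $s_0$ no longer fits under $\delta_{t_1}$, which is exactly the cascade the proof of Theorem 2 turns into a tree counterexample.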

Note that the obtained counterexample is essentially a finite tree execution of $L_1$. That is, there is a total mapping $M : S_C \to S_1$ such that for every transition $c \xrightarrow{a} \mu_c$ of $C$, there exists $M(c) \xrightarrow{a} \mu_1$ such that $M$ restricted to $Supp(\mu_c)$ is an injection and for every $c' \in Supp(\mu_c)$, $\mu_c(c') = \mu_1(M(c'))$. $M$ is also a strong simulation. We call such a mapping an execution mapping from $C$ to $L_1$. Figure 3 shows an execution mapping in brackets beside the states of $C$. We therefore have the following corollary.

Corollary 1. If $L_1$ is reactive and $L_1 \not\preceq L_2$, there is a reactive tree which serves as a counterexample.

The following two lemmas show that (reactive) trees are the simplest structured counterexamples (proofs in Appendix).

Lemma 4. There exist reactive LPTSes $R_1$ and $R_2$ such that $R_1 \not\preceq R_2$ and no counterexample is fully-probabilistic.

Fig. 3: $C$ is a counterexample to $L_1 \preceq L_2$.

Fig. 4: An LPTS $L$, partition $\Pi = \{c_1, c_2\}$ in Figure 1, and the quotient $L/\Pi$.

Fig. 5: An assumption for $L_1$, $L_2$ and $P$.

Thus, if $L_1$ is reactive, a reactive tree is the simplest structure for a counterexample to $L_1 \preceq L_2$. This is surprising, since the non-probabilistic counterpart of a fully-probabilistic LPTS is a trace of actions and it is known that trace inclusion coincides with simulation conformance between reactive (i.e. deterministic) LTSes. If there is no such restriction on $L_1$, one may ask if a reactive LPTS suffices as a counterexample to $L_1 \preceq L_2$. That is not the case either, as the following lemma shows.

Lemma 5. There exist an LPTS $L$ and a reactive LPTS $R$ such that $L \not\preceq R$ and no counterexample is reactive.



4 CEGAR for Checking Strong Simulation 

Now that the notion of a counterexample has been formalized, we describe a CounterExample Guided Abstraction Refinement (CEGAR) approach [6] to check $L \preceq P$ where $L$ and $P$ are LPTSes and $P$ stands for a specification of $L$. We will use this approach to describe AGAR in the next section.

Abstractions for $L$ are obtained using a quotient construction from a partition $\Pi$ of $S_L$. We let $\Pi$ also denote the corresponding set of equivalence classes and given an arbitrary $s \in S_L$, let $[s]_\Pi$ denote the equivalence class containing $s$. The quotient is an adaptation of the usual construction in the non-probabilistic case.

Definition 8 (Quotient LPTS). Given a partition $\Pi$ of $S_L$, define the quotient LPTS, denoted $L/\Pi$, as the LPTS $(\Pi, [s^0_L]_\Pi, \alpha_L, \tau)$ where $(c, a, \mu_\Pi) \in \tau$ iff $(s, a, \mu) \in \tau_L$ for some $s \in S_L$ with $s \in c$ and $\mu_\Pi(c') = \sum_{t \in c'} \mu(t)$ for all $c' \in \Pi$.

As the abstractions are built from an explicit representation of $L$, this is not immediately useful. But, as we will see in Sections 5 and 6, this becomes very useful when adapted to the assume-guarantee setting.

Figure 4 shows an example quotient. Note that $L \preceq L/\Pi$ for any partition $\Pi$ of $S_L$ (proof in Appendix), with the relation $R = \{(s, c) \mid s \in c, c \in \Pi\}$ as a strong simulation.
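As an added example (not code from the paper), the quotient construction of Definition 8 in Python, together with a direct check that $L \preceq L/\Pi$ holds for $R = \{(s, c) \mid s \in c\}$. The LPTS encoding (a dict with `start`, `alphabet` and `trans`, `trans` mapping every state to its (action, distribution) pairs, a partition being a list of frozensets) and the sample LPTS are assumptions of this example. The check needs no max-flow: for $s \xrightarrow{a} \mu$ the weight function $w(t, [t]_\Pi) = \mu(t)$ (and 0 elsewhere) satisfies Definition 4 against the lifted distribution by construction. The sample also shows the non-determinism the preliminaries mention, since two states of one class with different `a`-successors give the class two `a`-transitions.

```python
from fractions import Fraction

# Encoding assumed by this example (not the paper's notation): an LPTS is a dict
# with "start", "alphabet" and "trans" (state -> list of (action, distribution));
# a partition is a list of frozensets of states; distributions map to Fractions.


def classes_of(partition):
    """Map every state s to its equivalence class [s]_Pi."""
    return {s: c for c in partition for s in c}


def lift(mu, cls):
    """mu_Pi(c') = sum of mu(t) over t in c' (Definition 8)."""
    lifted = {}
    for t, p in mu.items():
        lifted[cls[t]] = lifted.get(cls[t], Fraction(0)) + p
    return lifted


def quotient(L, partition):
    """Definition 8: L/Pi has c -a-> mu_Pi for every s in c with s -a-> mu.
    tau is a set, so a lifted transition reached from two states of c is kept once."""
    cls = classes_of(partition)
    trans = {c: [] for c in partition}
    for s, ts in L["trans"].items():
        for a, mu in ts:
            t = (a, lift(mu, cls))
            if t not in trans[cls[s]]:
                trans[cls[s]].append(t)
    return {"start": cls[L["start"]], "alphabet": L["alphabet"], "trans": trans}


def is_simulated_by_quotient(L, partition):
    """Check L ≼ L/Pi with R = {(s, c) | s in c}: for each s -a-> mu, [s] must have
    an a-transition nu matched by w(t, c) = mu(t) if c = [t] else 0. Condition 1 of
    Definition 4 is mu(t) = w(t, [t]), condition 3 holds as (t, [t]) is in R, and
    condition 2 (nu(c) = sum_t w(t, c)) is what is verified below."""
    Q, cls = quotient(L, partition), classes_of(partition)
    for s, ts in L["trans"].items():
        for a, mu in ts:
            w = {(t, cls[t]): p for t, p in mu.items()}
            column = lambda c: sum(p for (t, c2), p in w.items() if c2 == c)
            if not any(b == a and all(nu.get(c, 0) == column(c) for c in partition)
                       for b, nu in Q["trans"][cls[s]]):
                return False
    return True


def split(partition, c, part):
    """Refinement step of Section 4: replace class c by c ∩ part and c \\ part."""
    halves = [c & part, c - part]
    return [x for x in partition if x != c] + [h for h in halves if h]


# Constructed sample (an assumption of this example).
L = {"start": "s0", "alphabet": {"a", "b"}, "trans": {
    "s0": [("a", {"s1": Fraction(1, 3), "s2": Fraction(2, 3)})],
    "s1": [("a", {"s3": Fraction(1)})],
    "s2": [("b", {"s3": Fraction(1)})],
    "s3": []}}
C1, C2 = frozenset({"s0", "s1"}), frozenset({"s2", "s3"})
COARSE = [C1, C2]
REFINED = split(COARSE, C2, frozenset({"s2"}))

if __name__ == "__main__":
    for c, ts in quotient(L, COARSE)["trans"].items():
        for a, nu in ts:
            print(sorted(c), "--", a, "-->", {tuple(sorted(k)): str(p) for k, p in nu.items()})
```

Under `COARSE` the class $c_1 = \{s_0, s_1\}$ gets two `a`-transitions, one to $\{c_1 \mapsto 1/3, c_2 \mapsto 2/3\}$ from $s_0$ and one to $\delta_{c_2}$ from $s_1$; the abstraction is non-deterministic even though $L$ is reactive.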

CEGAR for LPTSes is sketched in Algorithm 2. It maintains an abstraction $A$ of $L$, initialized to the quotient for the coarsest partition, and iteratively refines $A$ based on the counterexamples obtained from the simulation check against $P$ until a partition whose corresponding quotient conforms to $P$ w.r.t. $\preceq$ is obtained, or a real counterexample is found. In the following, we describe how to analyze if a counterexample is spurious, due to abstraction, and how to refine the abstraction in case it is (lines 4-6). Our analysis is an adaptation of an existing one for counterexamples which are arbitrary sub-structures of $A$ [3]; while our tree counterexamples have an execution mapping to $A$, they are not necessarily sub-structures of $A$.

Algorithm 2 CEGAR for LPTSes: checks $L \preceq P$

1: $A \leftarrow L/\Pi$, where $\Pi$ is the coarsest partition of $S_L$

2: while $A \not\preceq P$ do

3:   obtain a counterexample $C$

4:   $(spurious, A') \leftarrow analyzeAndRefine(C, A, L)$ {see text}

5:   if $spurious$ then

6:     $A \leftarrow A'$

7:   else

8:     return counterexample $C$

9:   end if

10: end while

11: return $L \preceq P$ holds

Analysis and Refinement (analyzeAndRefine()). Assume that $\Pi$ is a partition of $S_L$ such that $A = L/\Pi$ and $A \not\preceq P$. Let $C$ be a tree counterexample obtained by the algorithm described in Section 3, i.e. $C \preceq A$ but $C \not\preceq P$. As described in Section 3, there is an execution mapping $M : S_C \to S_A$ which is also a strong simulation. Let $R_M \subseteq S_C \times S_L$ be $\{(s_1, s_2) \mid s_1 M [s_2]_\Pi\}$. Our refinement strategy tries to obtain the coarsest strong simulation between $C$ and $L$ contained in $R_M$, using the specialized algorithm for trees described in Section 2 with $R_M$ as the initial candidate. Let $R$ and $R_{old}$ be the candidate relations at the end of the current and the previous iterations, respectively, and let $s_1 \xrightarrow{a} \mu_1$ be the transition in $C$ considered by the algorithm in the current iteration. ($R_{old}$ is undefined initially.) The strategy refines a state when one of the following two cases happens before termination and otherwise, returns $C$ as a real counterexample.

1. $R(s_1) = \emptyset$. There are two possible reasons for this case. One is that the states in $Supp(\mu_1)$ are not related, by $R$, to enough states in $S_L$ (i.e. $\mu_1$ is spurious) and (the images under $M$ of) all the states in $Supp(\mu_1)$ are candidates for refinement. The other possible reason is the branching (more than one transition) from $s_1$ where no state in $R_M(s_1)$ can simulate all the transitions of $s_1$ and $M(s_1)$ is a candidate for refinement.

2. $M(s_1) = [s^0_L]_\Pi$, $s^0_L \in R_{old}(s_1) \setminus R(s_1)$ and $R(s_1) \neq \emptyset$, i.e. $M(s_1)$ is the initial state of $A$ but $s_1$ is no longer related to $s^0_L$ by $R$. Here, $M(s_1)$ is a candidate for refinement.

In case 1, our refinement strategy first tries to split the equivalence class $M(s_1)$ into $R_{old}(s_1)$ and the rest and then, for every state $s \in Supp(\mu_1)$, tries to split the equivalence class $M(s)$ into $R_{old}(s)$ and the rest, unless $M(s) = M(s_1)$ and $M(s_1)$ has already been split. And in case 2, the strategy splits the equivalence class $M(s_1)$ into $R_{old}(s_1) \setminus R(s_1)$ and the rest. It follows from the two cases that if $C$ is declared real, then $C \preceq L$ with the final $R$ as a strong simulation between $C$ and $L$ and hence, $C$ is a counterexample to $L \preceq P$. The following lemma (proof in Appendix) shows that the refinement strategy always leads to progress.

Lemma 6. The above refinement strategy always results in a strictly finer partition $\Pi' < \Pi$.

AGAR for Probabilistic Systems

5 Assume-Guarantee Abstraction Refinement 

We now describe our approach to Assume-Guarantee Abstraction Refinement (AGAR) for LPTSes. The approach is similar to CEGAR from the previous section with the notable exception that counterexample analysis is performed in an assume-guarantee style: a counterexample obtained from checking one component is used to refine the abstraction of a different component.

Given LPTSes $L_1$, $L_2$ and $P$, the goal is to check $L_1 \parallel L_2 \preceq P$ in an assume-guarantee style, using rule ASym. The basic idea is to maintain $A$ in the rule as an abstraction of $L_2$, i.e. the second premise holds for free throughout, and to check only the first premise for every $A$ generated by the algorithm. As in CEGAR, we restrict $A$ to the quotient for a partition of $S_2$. If the first premise holds for an $A$, then $L_1 \parallel L_2 \preceq P$ also holds, by the soundness of the rule. Otherwise, the obtained counterexample $C$ is analyzed to see whether it indicates a real error or it is spurious, in which case $A$ is refined (as described in detail below). Algorithm 3 sketches the AGAR loop.

For an example, $A$ in Figure 5 shows the final assumption generated by AGAR for the LPTSes in Figure 1 (after one refinement).

Algorithm 3 AGAR for LPTSes: checks $L_1 \parallel L_2 \preceq P$

1: $A \leftarrow$ coarsest abstraction of $L_2$

2: while $L_1 \parallel A \not\preceq P$ do

3:   obtain a counterexample $C$

4:   obtain projections $C\!\upharpoonright_{L_1}$ and $C\!\upharpoonright_{A}$

5:   $(spurious, A') \leftarrow analyzeAndRefine(C\!\upharpoonright_{A}, A, L_2)$

6:   if $spurious$ then

7:     $A \leftarrow A'$

8:   else

9:     return counterexample $C$

10:  end if

11: end while

12: return $L_1 \parallel L_2 \preceq P$ holds



Analysis and Refinement. The counterexample analysis is performed compositionally, using the projections of $C$ onto $L_1$ and $A$. As there is an execution mapping from $C$ to $L_1 \parallel A$, these projections are the contributions of $L_1$ and $A$ towards $C$ in the composition. We denote these projections by $C\!\upharpoonright_{L_1}$ and $C\!\upharpoonright_{A}$, respectively. In the non-probabilistic case, these are obtained by simply projecting $C$ onto the respective alphabets. In the probabilistic scenario, however, composition changes the probabilities in the distributions (Definition 2) and alphabet projection is insufficient. For this reason, we additionally record the individual distributions of the LPTSes responsible for a product distribution while performing the composition. Thus, projections $C\!\upharpoonright_{L_1}$ and $C\!\upharpoonright_{A}$ can be obtained using this auxiliary information. Note that there is a natural execution mapping from $C\!\upharpoonright_{A}$ to $A$ and from $C\!\upharpoonright_{L_1}$ to $L_1$. We can then employ the analysis described in Section 4 between $C\!\upharpoonright_{A}$ and $A$, i.e. invoke $analyzeAndRefine(C\!\upharpoonright_{A}, A, L_2)$ to determine if $C\!\upharpoonright_{A}$ (and hence, $C$) is spurious and to refine $A$ in case it is. Otherwise, $C\!\upharpoonright_{A} \preceq L_2$ and hence, $(C\!\upharpoonright_{A})^{\alpha_2} \preceq L_2$. Together with $(C\!\upharpoonright_{L_1})^{\alpha_1} \preceq L_1$ this implies $(C\!\upharpoonright_{L_1})^{\alpha_1} \parallel (C\!\upharpoonright_{A})^{\alpha_2} \preceq L_1 \parallel L_2$ (Lemma 2). As $C \preceq (C\!\upharpoonright_{L_1})^{\alpha_1} \parallel (C\!\upharpoonright_{A})^{\alpha_2}$, $C$ is then a real counterexample. Thus, we have the following result.

Theorem 4 (Correctness and Termination). Algorithm AGAR always terminates with at most $|S_2| - 1$ refinements and $L_1 \parallel L_2 \not\preceq P$ if and only if the algorithm returns a real counterexample.

Proof. Correctness: AGAR terminates when either Premise 1 is satisfied by the current assumption (line 12) or when a counterexample is returned (line 9). In the first case, we know that Premise 2 holds by construction and since ASym is sound (Theorem 1) it follows that indeed $L_1 \parallel L_2 \preceq P$. In the second case, the counterexample returned by AGAR is real (see above) showing that $L_1 \parallel L_2 \not\preceq P$.

Termination: AGAR iteratively refines the abstraction until the property holds or a real counterexample is reported. Abstraction refinement results in a finer partition (Lemma 6) and thus it is guaranteed to terminate since in the worst case $A$ converges to $L_2$ which is finite state. Since rule ASym is trivially complete for $L_2$ (proof of Theorem 1) it follows that AGAR will also terminate, and the number of refinements is bounded by $|S_2| - 1$. □

In practice, we expect AGAR to terminate earlier than in $|S_2| - 1$ steps, with an assumption smaller than $L_2$. AGAR will terminate as soon as it finds an assumption that satisfies the premises or that helps exhibit a real counterexample. Note also that, although AGAR uses an explicit representation for the individual components, it never builds $L_1 \parallel L_2$ directly (except in the worst case), keeping the cost of verification low.

Reasoning with $n > 2$ Components. So far, we have discussed compositional verification in the context of two components $L_1$ and $L_2$. This reasoning can be generalized to $n > 2$ components using the following (sound and complete) rule.

$$\frac{1: L_1 \parallel A_1 \preceq P \qquad 2: L_2 \parallel A_2 \preceq A_1 \qquad \ldots \qquad n: L_n \preceq A_{n-1}}{L_1 \parallel \cdots \parallel L_n \preceq P} \quad (\mathrm{ASym\text{-}N})$$

The rule enables us to overcome the intermediate state explosion that may be associated with two-way decompositions (when the subsystems are larger than the entire system). The AGAR algorithm for this rule involves the creation of $n - 1$ nested instances of AGAR for two components, with the $i$th instance computing the assumption $A_i$ for $(L_1 \parallel \cdots \parallel L_i) \parallel (L_{i+1} \parallel A_{i+1}) \preceq P$. When the AGAR instance for $A_{i-1}$ returns a counterexample $C$, for $1 < i < n - 1$, we need to analyze $C$ for spuriousness and refine $A_i$ in case it is. From Algorithm 3, $C$ is returned only if $analyzeAndRefine(C\!\upharpoonright_{A_{i-1}}, A_{i-1}, L_i \parallel A_i)$ concludes that $C$ is real (note that $A_{i-1}$ is an abstraction of $L_i \parallel A_i$). From analyzeAndRefine in Section 4, this implies that the final relation $R$ computed between the states of $C\!\upharpoonright_{A_{i-1}}$ and $L_i \parallel A_i$ is a strong simulation between them. It follows that, although $C\!\upharpoonright_{A_{i-1}}$ does not have an execution mapping to $L_i \parallel A_i$, we can naturally obtain a tree $T$ using $C\!\upharpoonright_{A_{i-1}}$ via $R$ with such a mapping. Thus, we modify the algorithm to return $T\!\upharpoonright_{A_i}$ at line 9, instead of $C$, which can then be used to check for spuriousness and refine $A_i$. Note that when $A_i$ is refined, all the $A_j$'s for $j < i$ need to be recomputed.

Compositional Verification of Logical Properties. AGAR can be further applied to automate assume-guarantee checking of properties written as formulae in a logic that is preserved by strong simulation, such as the weak-safety fragment of probabilistic CTL (pCTL) [3], which also yields trees as counterexamples. The rule ASym is both sound and complete for this logic ($\models$ denotes property satisfaction) for $\alpha_A = \alpha_2$, with a proof similar to that of Theorem 1:

$$\frac{1: L_1 \| A \models \phi \qquad 2: L_2 \preceq A}{L_1 \| L_2 \models \phi}$$

A can be computed as a conservative abstraction of L 2 and iteratively refined 
based on the tree counterexamples to premise 1, using the same procedures as 
before. The rule can be generalized to reasoning about n > 2 components as 
described above and also to richer logics with more general counterexamples 
adapting existing CEGAR approaches [3] to AGAR. We plan to further investi- 
gate this direction in the future. 

6 Implementation and Results 

Implementation. We implemented the algorithms for checking simulation (Section 5), for generating counterexamples (as in the proof of Lemma 5) and for AGAR (Algorithm 3) with ASym and ASym-N in Java. We used the front-end of PRISM's [15] explicit-state engine to parse the models of the components described in PRISM's input language and construct LPTSes, which were then handled by our implementation.

While the Java implementation for checking simulation uses the greatest fixed point computation to obtain the coarsest strong simulation, we noticed that the problem of checking the existence of a strong simulation is essentially a constraint satisfaction problem. To leverage the efficient constraint solvers that exist today, we reduced the problem of checking simulation to an SMT problem with rational linear arithmetic as follows. For every pair of states, the constraint that the pair is in some strong simulation is simply the encoding of the condition in Definition 5. For a relevant pair of distributions $\mu_1$ and $\mu_2$, the constraint for $\mu_1 \sqsubseteq_R \mu_2$ is encoded by means of a weight function (as given by Definition 2) and the constraint for $\mu_1 \not\sqsubseteq_R \mu_2$ is encoded by means of a witness subset of $Supp(\mu_1)$ (as in Lemma 1), where $R$ is the variable for the strong simulation.
Table 1: AGAR vs monolithic verification. Sizes are numbers of states, Time is in seconds, Mem in megabytes; "out" marks a run that exceeded the time or memory limit, "out(1)" a mem-out during model construction, and "-" a value not reported for that run.

                                  ASym                                  ASym-N                                       Mono
Example (param)  |L|    |P|    |L_M|  |A_M|  Time    Mem      |L_M|  |A_M|  |L_C|  Time    Mem      |L_M|  |A_M|  Time    Mem
CS_1(5)          94     16     36     405    7.2     15.6     182    33     36     74.0    15.1     182    34     0.2     8.8
CS_1(6)          136    19     49     1215   11.6    22.7     324    41     49     810.7   21.4     324    40     0.5     12.2
CS_1(7)          186    22     64     3645   37.7    49.4     538    56     64     out     out      -      -      0.8     17.9
CS_N(2)          34     15     25     9      0.7     7.1      51     7      9      2.4     6.8      40     25     0.1     5.9
CS_N(3)          184    54     125    16     43.0    63.0     324    12     16     1.6k    109.6    372    125    14.8    37.9
CS_N(4)          960    189    625    25     out     out      -      -      25     out     out      -      -      1.8k    667.5
MER(3)           16k    12     278    1728   2.6     19.7     706    7      278    3.6     14.6     706    7      193.8   458.5
MER(4)           120k   15     465    21k    15.0    53.9     1k     11     465    34.7    37.8     2k     11     out     out
MER(5)           841k   18     700    250k   out(1)  out(1)   -      -      700    257.8   65.5     3.3k   16     out(1)  out(1)
SN(1)            462    18     43     32     0.2     6.2      43     3      126    1.7     8.5      165    6      1.5     27.7
SN(2)            7860   54     796    32     79.5    112.9    796    3      252    694.4   171.7    1.4k   21     4.7k    1.3k
SN(3)            78k    162    7545   32     out     out      -      -      378    7.2k    528.8    1.4k   21     out     out



We use Yices (v1.0.29) [9] to solve the resulting SMT problem; a real variable in the Yices input language is essentially a rational variable. There is no direct way to obtain a tree counterexample when the SMT problem is unsatisfiable. Therefore, when the conformance fails, we obtain the unsat core from Yices, construct the sub-structure of $L_1$ (when we check $L_1 \preceq L_2$) from the constraints in the unsat core and check the conformance of this sub-structure against $L_2$ using the Java implementation. This sub-structure is usually much smaller than $L_1$ and contains only the information necessary to expose the counterexample.

Results. We evaluated our algorithms using this implementation on several examples analyzed in previous work [11]. Some of these examples were created by introducing probabilistic failures into non-probabilistic models used earlier [19], while others were adapted from PRISM benchmarks [15]. The properties used previously were about probabilistic reachability, and we had to create our own specification LPTSes after developing an understanding of the models. The models in all the examples satisfy the respective specifications. We briefly describe the models and the specifications below, all of which are available at http://www.cs.cmu.edu/~akomurav/publications/agar/AGAR.html



$CS_1$ and $CS_N$ model a Client-Server protocol with mutual exclusion having probabilistic failures in one or all of the $N$ clients, respectively. The specifications describe the probabilistic failure behavior of the clients while hiding some of the actions, as is typical in a high-level design specification.

MER models a resource arbiter module of NASA's software for Mars Explo- 
ration Rovers which grants and rescinds shared resources for several users. 
We considered the case of two resources with varying number of users and 
probabilistic failures introduced in all the components. As in the above ex- 
ample, the specifications describe the probabilistic failure behavior of the 
users while hiding some of the actions. 

SN models a wireless Sensor Network of one or more sensors sending data and 
messages to a process via a channel with a bounded buffer having proba- 
bilistic behavior in the components. Creating specification LPTSes for this 
example turned out to be more difficult than the above examples, and we 
obtained them by observing the system's runs and by manual abstraction. 
Table 1 shows the results we obtained when ASym and ASym-N were compared with monolithic (non-compositional) conformance checking. $|X|$ stands for the number of states of an LPTS $X$. $L$ stands for the whole system, $P$ for the specification, $L_M$ for the LPTS with the largest number of states built by composing LPTSes during the course of AGAR, $A_M$ for the assumption with the largest number of states during the execution and $L_C$ for the component with the largest number of states in ASym-N. Time is in seconds and Memory is in megabytes. We also compared $|L_M|$ with $|L|$, as $|L_M|$ denotes the largest LPTS ever built by AGAR. Best figures, among ASym, ASym-N and Mono, for Time, Memory and LPTS sizes, are boldfaced. All the results were taken on a Fedora-10 64-bit machine running on an Intel® Core™2 Quad CPU of 2.83GHz and 4GB RAM. We imposed a 2GB upper bound on Java heap memory and a 2 hour upper bound on the running time. We observed that most of the time during AGAR was spent in checking the premises and an insignificant amount was spent for the composition and the refinement steps. Also, most of the memory was consumed by Yices. We tried several orderings of the components (the $L_i$'s in the rules) and report only the ones giving the best results.

While monolithic checking outperformed AGAR for Client-Server, there are significant time and memory savings for MER and Sensor Network, where in some cases the monolithic approach ran out of resources (time or memory). One possible reason for AGAR performing worse for Client-Server is that $|L|$ is much smaller than $|L_1|$ or $|L_2|$. When compared to using ASym, ASym-N brings further memory savings in the case of MER and also time savings for Sensor Network with parameter 3, which could not finish in 2 hours when used with ASym. As already mentioned, these models were analyzed previously with an assume-guarantee framework using learning from traces [11]. Although that approach uses a similar assume-guarantee rule (but instantiated to check probabilistic reachability) and the results have some similarity (e.g. Client-Server is similarly not handled well by the compositional approach), we cannot directly compare it with AGAR as it considers a different class of properties.

7 Conclusion and Future Work 

We described a complete, fully automated abstraction-refinement approach for assume-guarantee checking of strong simulation between LPTSes. The approach uses refinement based on counterexamples formalized as stochastic trees, and it further applies to checking safe-pCTL properties. We showed experimentally the merits of the proposed technique. We plan to extend our approach to cases where the assumption $A$ has a smaller alphabet than that of the component it represents, as this can potentially lead to further savings. Strong simulation would no longer work and one would need to use weak simulation [20], for which checking algorithms are unknown yet. We would also like to explore symbolic implementations of our algorithms, for increased scalability. As an alternative approach, we plan to build upon our recent work [14] on learning LPTSes to develop practical compositional algorithms and compare them with AGAR.
A Proof of Lemma 2

We first show that $\preceq$ is a preorder. Reflexivity can be easily proved by showing that the identity relation is a strong simulation. We only consider transitivity. Let $L_1 \preceq L_2$ and $L_2 \preceq L_3$. Thus, there are strong simulations $R_{12} \subseteq S_1 \times S_2$ and $R_{23} \subseteq S_2 \times S_3$. Consider the relation $R = \{(s_1, s_3) \mid \exists s_2 \cdot s_1 R_{12} s_2 \text{ and } s_2 R_{23} s_3\}$. Let $s_1 R s_3$ and $s_1 \xrightarrow{a} \mu_1$. Also, let $s_2 \in S_2$ be such that $s_1 R_{12} s_2$ and $s_2 R_{23} s_3$. As $R_{12}$ is a strong simulation, there exists $s_2 \xrightarrow{a} \mu_2$ with $\mu_1 \sqsubseteq_{R_{12}} \mu_2$. Again, as $R_{23}$ is a strong simulation, there exists $s_3 \xrightarrow{a} \mu_3$ with $\mu_2 \sqsubseteq_{R_{23}} \mu_3$. Now, let $S \subseteq Supp(\mu_1)$ be arbitrary. We have $\mu_1(S) \le \mu_2(R_{12}(S)) \le \mu_3(R_{23}(R_{12}(S))) = \mu_3(R(S))$ (Lemma 1). Thus, $\mu_1 \sqsubseteq_R \mu_3$ and hence, $R$ is a strong simulation. Also, $s_1^0 R s_3^0$ by definition of $R$. We conclude that $L_1 \preceq L_3$.

Now, we show that $\preceq$ is compositional. Assume $L_1 \preceq L_2$ with $\alpha_2 \subseteq \alpha_1$. Let $R_{12} \subseteq S_1 \times S_2$ be a strong simulation. Consider the relation $R$ defined below.

$$R = \{((s_1, s), (s_2, s)) \mid s_1 R_{12} s_2 \text{ and } s \in S_L\}$$

Let $(s_1, s) R (s_2, s)$ and $(s_1, s) \xrightarrow{a} \mu_a$. So, $s_1 R_{12} s_2$. By Definition 3, there are three cases to analyze.

$s_1 \xrightarrow{a} \mu_1$, $s \xrightarrow{a} \mu$ and $\mu_a = \mu_1 \otimes \mu$: As $R_{12}$ is a strong simulation, there exists $s_2 \xrightarrow{a} \mu_2$ with $\mu_1 \sqsubseteq_{R_{12}} \mu_2$. And by Definition 3, $(s_2, s) \xrightarrow{a} \mu'_a$ where $\mu'_a = \mu_2 \otimes \mu$. Now, let $X \subseteq Supp(\mu_a)$. For each $s \in S_L$, let $X_s$ contain the first members of all the pairs of $X$ with $s$ as the second member. Thus, the sets $X_s \times \{s\}$ partition $X$. We have

$$\mu_a(X) = \sum_{s \in S_L} \mu_a(X_s \times \{s\})$$
$$= \sum_{s \in S_L} \mu_1(X_s) \cdot \mu(s) \qquad \text{definition of } \mu_a$$
$$\le \sum_{s \in S_L} \mu_2(R_{12}(X_s)) \cdot \mu(s) \qquad R_{12} \text{ is a strong simulation}$$
$$= \sum_{s \in S_L} \mu'_a(R_{12}(X_s) \times \{s\}) \qquad \text{definition of } \mu'_a$$
$$= \sum_{s \in S_L} \mu'_a(R(X_s \times \{s\})) \qquad \text{definition of } R$$
$$= \mu'_a\Big(\bigcup_{s \in S_L} R(X_s \times \{s\})\Big) \qquad \text{the sets } R(X_s \times \{s\}) \text{ are disjoint for distinct } s$$
$$= \mu'_a\Big(R\Big(\bigcup_{s \in S_L} X_s \times \{s\}\Big)\Big) = \mu'_a(R(X))$$

which implies that $\mu_a \sqsubseteq_R \mu'_a$.

$a \notin \alpha_1$, $s \xrightarrow{a} \mu$ and $\mu_a = \delta_{s_1} \otimes \mu$: As $\alpha_2 \subseteq \alpha_1$, $a \notin \alpha_2$ and by Definition 3, $(s_2, s) \xrightarrow{a} \mu'_a$ with $\mu'_a = \delta_{s_2} \otimes \mu$. Now, let $X \subseteq Supp(\mu_a)$ and let $X_2$ denote the set of all the second members of the pairs in $X$. We have $\mu_a(X) = \mu(X_2) = \mu'_a(\{s_2\} \times X_2) \le \mu'_a(R(X))$ and hence, $\mu_a \sqsubseteq_R \mu'_a$.

$s_1 \xrightarrow{a} \mu_1$, $a \notin \alpha_L$ and $\mu_a = \mu_1 \otimes \delta_s$: As $R_{12}$ is a strong simulation, there exists $s_2 \xrightarrow{a} \mu_2$ with $\mu_1 \sqsubseteq_{R_{12}} \mu_2$, and by Definition 3, $(s_2, s) \xrightarrow{a} \mu'_a$ with $\mu'_a = \mu_2 \otimes \delta_s$. Now, let $X \subseteq Supp(\mu_a)$ and let $X_1$ denote the set of all the first members of the pairs in $X$. We have $\mu_a(X) = \mu_1(X_1) \le \mu_2(R_{12}(X_1)) = \mu'_a(R(X))$ and hence, $\mu_a \sqsubseteq_R \mu'_a$.

Hence, $R$ is a strong simulation. Also, $(s_1^0, s_L^0) R (s_2^0, s_L^0)$ by definition of $R$. We conclude that $L_1 \| L \preceq L_2 \| L$. □

B Proof of Theorem 2

We give a constructive proof. Assume that $L_1 \not\preceq L_2$.

We first describe, briefly, a well-known algorithm used to check $L_1 \preceq L_2$ [1]. We start with a candidate $R$ for the coarsest strong simulation between $L_1$ and $L_2$, initialized to $S_1 \times S_2$. In each iteration, an arbitrary pair $(s_1, s_2)$ in the current $R$ is picked and the local conditions in the definition of a strong simulation (Definition 5) are checked for $R$. If the pair fails, that is because there is a transition $s_1 \xrightarrow{a} \mu_1$ but for every $s_2 \xrightarrow{a} \mu_2$, $\mu_1 \not\sqsubseteq_R \mu_2$. In this case, the pair is removed and another iteration begins. Note that, at this point, we can conclude that $s_1 \not\preceq s_2$. Otherwise, a new pair is picked for examination. The algorithm stops when $(s_1^0, s_2^0)$ (the pair of the initial states) is removed from the current $R$, at which point we conclude that $L_1 \not\preceq L_2$, or when a fixed point is reached and we conclude that $L_1 \preceq L_2$. By the correctness and termination of this algorithm, one of these will eventually happen, and by the assumption made above that $L_1 \not\preceq L_2$, we are only interested in the former scenario of termination.

We show that whenever a pair $(s_1, s_2)$ is removed from $R$, there is a tree $T_{12}$ which serves as a counterexample to $s_1 \preceq s_2$. As argued above, $(s_1^0, s_2^0)$ is eventually removed from $R$ and hence, we have a tree $T$ which serves as a counterexample to $s_1^0 \preceq s_2^0$ and therefore, to the conformance. We proceed by strong induction on the number of pairs removed so far from the initial $R = S_1 \times S_2$.

The base case is when no pair has been removed so far. In this case, $(s_1, s_2)$ will be removed only because there is a transition $s_1 \xrightarrow{a} \mu_1$ and there is no transition on action $a$ from $s_2$. Then, a counterexample will simply be the tree $T_{12}$ representing the transition $s_1 \xrightarrow{a} \mu_1$. It is easy to see that $T_{12} \preceq (L_1, s_1)$ but $T_{12} \not\preceq (L_2, s_2)$.

For the inductive case, assume that a new pair $(s_1, s_2)$ has been removed from the current $R$. We have to analyze two cases. The first case is when we have a transition $s_1 \xrightarrow{a} \mu_1$ but there is no transition $s_2 \xrightarrow{a} \mu_2$. This is similar to the base case above. So, we will only consider the other case below.

Now, there is a transition $s_1 \xrightarrow{a} \mu_1$ and the set $\Delta = \{\mu \in Dist(S_2) \mid s_2 \xrightarrow{a} \mu\}$ is non-empty, but for every $\mu \in \Delta$, $\mu_1 \not\sqsubseteq_R \mu$. Consider an arbitrary $\mu \in \Delta$. Because $\mu_1 \not\sqsubseteq_R \mu$, we conclude that there is a set $S_1^\mu \subseteq Supp(\mu_1)$ such that $\mu_1(S_1^\mu) > \mu(R(S_1^\mu))$ (Lemma 1). Intuitively, this is because $S_1^\mu$ is not related to enough states from $Supp(\mu)$. Let $S_2^\mu = Supp(\mu) \setminus R(S_1^\mu)$.

We start building a tree $T_{12}$ with $s_1$ as the root and $s_1 \xrightarrow{a} \mu_1$ as the only outgoing transition. Now, let $s \in \bigcup_{\mu \in \Delta} S_1^\mu$. Consider the set $U_s = \bigcup \{S_2^\mu \mid s \in S_1^\mu\}$. Then, for every $t \in U_s$, we simply attach the counterexample tree for $(s, t)$ (which exists by the induction hypothesis) below the state $s$ in $T_{12}$. We claim that $T_{12}$ built this way is a counterexample to $s_1 \preceq s_2$.

First of all, it is easy to see that $T_{12} \preceq (L_1, s_1)$, as $T_{12}$ is obtained from the states and the corresponding distributions of $L_1$. Let $\mu \in \Delta$ and let $R'$ be a strong simulation between $T_{12}$ and $L_2$. By construction, $S_1^\mu \subseteq Supp(\mu_1)$ and further, by the induction hypothesis, for every $(s, t) \in S_1^\mu \times S_2^\mu$, $(T_{12}, s) \not\preceq (L_2, t)$ and hence, $(s, t) \notin R'$. Therefore $\mu_1(S_1^\mu) > \mu(R(S_1^\mu)) \ge \mu(R'(S_1^\mu))$. It follows that $\mu_1 \not\sqsubseteq_{R'} \mu$ and hence, $(s_1, s_2) \notin R'$. As $\mu$ and $R'$ are arbitrary, we conclude that $T_{12} \not\preceq (L_2, s_2)$. □
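The fixed-point algorithm and the tree construction of this proof, together with the coarsest-strong-simulation check that Section 6 says the Java implementation performs, as an added Python example; it is not the paper's code or its implementation, and every name in it is my own. It decides $\mu_1 \sqsubseteq_R \mu_2$ by enumerating subsets of $Supp(\mu_1)$ (the Lemma 1 formulation, exponential in the support size but returning the violating set $S_1^\mu$ directly, which is what the tree needs), records for every removed pair the sets $S_1^\mu$ and $S_2^\mu$ at removal time, and assembles the counterexample tree exactly as above. The two LPTSes at the bottom are constructed for illustration: the first always continues with $y$ after $x$, the second can do so only with probability 2/3.

```python
from fractions import Fraction
from itertools import combinations


class LPTS:
    """Labeled Probabilistic Transition System (constructed representation,
    not the paper's).  trans maps a state to its list of (action, distribution)
    pairs; a distribution maps states to Fraction probabilities (only the
    support is listed)."""

    def __init__(self, init, trans):
        self.init = init
        self.trans = trans
        self.states = sorted(set(trans) | {s for moves in trans.values()
                                           for _, mu in moves for s in mu})


def support(mu):
    return [s for s, p in mu.items() if p > 0]


def image(R, S):
    """R(S): every state related by R to some state of S."""
    return {t for (s, t) in R if s in S}


def witness_subset(mu1, mu2, R):
    """Decide mu1 ⊑_R mu2 via Lemma 1: None when mu1(S) <= mu2(R(S)) holds for
    every S ⊆ Supp(mu1); otherwise the first violating S (smallest first),
    which is the set S_1^mu the proof of Theorem 2 hangs subtrees under."""
    supp = support(mu1)
    for size in range(len(supp) + 1):
        for S in combinations(supp, size):
            S = set(S)
            if sum(mu1[s] for s in S) > sum(mu2.get(t, 0) for t in image(R, S)):
                return S
    return None


def coarsest_simulation(L1, L2):
    """Greatest fixed point of Appendix B: start from S1 x S2 and drop a pair
    (s1, s2) as soon as some s1 -a-> mu1 has no s2 -a-> mu2 with mu1 ⊑_R mu2.
    Returns the final R and, per removed pair, the reason recorded at removal
    time: (a, mu1, [(mu2, S_1^mu2, S_2^mu2), ...]) with S_2^mu2 the support
    of mu2 minus R(S_1^mu2)."""
    R = {(s1, s2) for s1 in L1.states for s2 in L2.states}
    reasons, changed = {}, True
    while changed:
        changed = False
        for s1, s2 in sorted(R):
            for a, mu1 in L1.trans.get(s1, []):
                wits = []
                for b, mu2 in L2.trans.get(s2, []):
                    if b != a:
                        continue
                    S1 = witness_subset(mu1, mu2, R)
                    if S1 is None:
                        break                      # a matching move exists
                    wits.append((mu2, S1, set(support(mu2)) - image(R, S1)))
                else:                              # no a-move of s2 matches
                    R.discard((s1, s2))
                    reasons[(s1, s2)] = (a, mu1, wits)
                    changed = True
                    break
    return R, reasons


def counterexample_tree(pair, reasons):
    """Stochastic tree T_12 for a removed pair: root s1 with the failing
    s1 -a-> mu1; below each s in S_1^mu hangs the tree of every (s, t) with
    t in S_2^mu (such pairs were removed earlier, so they are in reasons).
    Several subtrees under one s give that state several transitions, i.e.
    the non-determinism the paper shows is needed."""
    s1, _ = pair
    a, mu1, wits = reasons[pair]
    pairs = {(s, t) for _, S1, S2 in wits for s in S1 for t in S2}
    children = {}
    for s, t in sorted(pairs):
        children.setdefault(s, []).append(counterexample_tree((s, t), reasons))
    return {"state": s1, "action": a, "dist": mu1, "children": children}


def check(L1, L2):
    """L1 ≼ L2?  (True, R) on success, else (False, counterexample tree)."""
    R, reasons = coarsest_simulation(L1, L2)
    if (L1.init, L2.init) in R:
        return True, R
    return False, counterexample_tree((L1.init, L2.init), reasons)


# Constructed example: L1_EXAMPLE always continues with y after x, L2_EXAMPLE
# continues only with probability 2/3, so L1_EXAMPLE is not simulated.
HALF, THIRD, ONE = Fraction(1, 2), Fraction(1, 3), Fraction(1)
L1_EXAMPLE = LPTS("a0", {
    "a0": [("x", {"a1": HALF, "a2": HALF})],
    "a1": [("y", {"a1": ONE})],
    "a2": [("y", {"a2": ONE})],
})
L2_EXAMPLE = LPTS("b0", {
    "b0": [("x", {"b1": 2 * THIRD, "b2": THIRD})],
    "b1": [("y", {"b1": ONE})],
})

if __name__ == "__main__":
    print(check(L1_EXAMPLE, L2_EXAMPLE))
```

On the constructed pair, the initial pair is removed with witness $S_1^\mu = \{a_1, a_2\}$ (mass 1 in $\mu_1$ against $2/3$ in $\mu_2(R(S_1^\mu)) = \mu_2(\{b_1\})$) and $S_2^\mu = \{b_2\}$; the returned tree is $a_0 \xrightarrow{x} \mu_1$ with the $y$-transition of $a_1$ and of $a_2$ attached underneath, which $L_2$ cannot match from $b_2$.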

C Proof of Theorem U 

It can easily be seen that Algorithm 1 takes $O(n^3)$ time and $O(n)$ space, which increases the complexity of checking $\mu_1 \sqsubseteq_R \mu_2$ to $O(n^3)$ time and $O(n^2)$ space (see Section 2). The rest of the argument is similar to that of the fixed point algorithm for computing the coarsest strong simulation [1]. □

D Proof of Lemma 4

Fig. 6: An example where there is no fully-probabilistic counterexample.

Consider the two reactive LPTSes $R_1$ and $R_2$ in Figure 6. The states along with the outgoing actions and distributions are labeled as in the figure. Clearly $r_{11} \not\preceq r_{21}$ and $r_{11} \not\preceq r_{23}$. It follows that $\mu_{10} \not\sqsubseteq_{\preceq} \mu_{20}$ and hence, $R_1 \not\preceq R_2$. We are interested in a counterexample to demonstrate this.

Let us assume that there is a fully-probabilistic LPTS $C$ (with initial state $c_0$) which serves as a counterexample. Thus, $C \preceq R_1$ but $C \not\preceq R_2$. By Definition 5 there exists a strong simulation $U$ such that $(c_0, r_{10}) \in U$. If $c_0$ has no outgoing transitions, clearly $C \preceq R_2$. So, it must have an outgoing distribution, say $\mu_0$. As $(c_0, r_{10}) \in U$ and as $\mu_{10}$ is labeled by $x$, $\mu_0$ must be labeled by $x$ too. Let $c_1$ be an arbitrary state in $Supp(\mu_0)$ with an outgoing transition (there may be no such $c_1$). Then, the transition must be labeled by $y$ or $z$. Otherwise, clearly $(c_1, r_{11}) \notin U$ and $(c_1, r_{12}) \notin U$, which imply $\mu_0 \not\sqsubseteq_U \mu_{10}$ and hence, $(c_0, r_{10}) \notin U$, contradicting the assumption. Moreover, $(c_1, r_{12}) \notin U$ as $r_{12}$ has no transitions. This forces $(c_1, r_{11})$ to be in $U$. Let the (only) outgoing distribution $\mu_1$ of $c_1$ be labeled by $y$. Then, for every state $c_2 \in Supp(\mu_1)$, $(c_2, r_{13}) \in U$, for otherwise $\mu_1 \not\sqsubseteq_U \mu_{11}$, which implies $(c_1, r_{11}) \notin U$, leading to a contradiction. This forces $c_2$ to not have any transitions. We have the same conclusion if $\mu_1$ is labeled by $z$ instead.

Thus, $C$ can only be a tree with exactly one transition $\mu_0$ labeled by $x$ from the initial state, and for every state in the support of this distribution, there is at most one transition labeled by either $y$ or $z$. Also, if $S_y$ and $S_z$ are the sets of states in $Supp(\mu_0)$ with a transition labeled by $y$ and $z$, respectively, then $\mu_0(S_y \cup S_z) \le \frac{1}{2}$. This is because $U(S_y \cup S_z) = \{r_{11}\}$ and $\mu_{10}(r_{11}) = \frac{1}{2}$.

Now, we define a relation $V$ between the states of $C$, $S_C$, and those of $R_2$, $S_2$. The initial states are related. Let $c$ be an arbitrary state of $C$. If $c$ has no transitions, it is related to every state of $R_2$. If $c$ has its transition labeled by $y$, it is related to $r_{21}$ and $r_{22}$. Otherwise its transition is labeled by $z$ and it is related to $r_{22}$ and $r_{23}$. To show that $V$ is a strong simulation, the only non-trivial thing to consider is whether $\mu_0 \sqsubseteq_V \mu_{20}$. For that, take an arbitrary set $X \subseteq Supp(\mu_0)$. If $X$ has any state with no transitions, $V(X) = S_2$ and hence $\mu_0(X) \le \mu_{20}(V(X)) = 1$. Otherwise, $X$ only has states with transitions labeled by $y$ or $z$, i.e. $X \subseteq S_y \cup S_z$, and by the observation made in the above paragraph, $\mu_0(X) \le \frac{1}{2}$ whereas $\mu_{20}(V(X)) \ge \frac{1}{2}$. Thus, $\mu_0(X) \le \mu_{20}(V(X))$. This shows that $V$ is a strong simulation and we conclude that $C \preceq R_2$, immediately giving us a contradiction to the assumption that $C$ is a counterexample. □

E Proof of Lemma 5

Fig. 7: There is no reactive counterexample to $L \not\preceq R$.

Consider the LPTS $L$ and the reactive LPTS $R$ in Figure 7. The states along with the outgoing actions and distributions are labeled as in the figure. By similar arguments as made in the proof of Lemma 4, one can show that $\mu_{10} \not\sqsubseteq_{\preceq} \mu_{23}$ and $\mu_{11} \not\sqsubseteq_{\preceq} \mu_{21}$, whereas $\mu_{10} \sqsubseteq_{\preceq} \mu_{21}, \mu_{22}$ and $\mu_{11} \sqsubseteq_{\preceq} \mu_{22}, \mu_{23}$. All these imply that $L \not\preceq R$. We are interested in a counterexample to show this.

Assume that a reactive LPTS $C$ exists which serves as a counterexample. Again, similar to the arguments made in the proof of Lemma 4, one can show that $C$ can only be a tree with exactly one transition $\mu_0$ labeled by $x$ from the initial state, and for every state in $Supp(\mu_0)$, there is at most one distribution labeled by $y$ (because $l_{11}$ has transitions on no other action). Furthermore, if any state in the support of this distribution has any transitions, all the transitions from all the states in the support will be labeled by the same action, and that too, by either $z$ or $w$. Then, if $S_y$ is the set of states in $Supp(\mu_0)$ with outgoing distributions (which should only be labeled by $y$), then $\mu_0(S_y) \le \frac{1}{2}$.

Now, we define a relation $V \subseteq S_C \times S_2$, where $S_C$ is the set of states of $C$, in a similar fashion. All the states in $C$ with no transitions are related to every state in $S_2$. The initial states are related. For every other state $c$, if it has a transition labeled by $z$ or $w$, $c$ is related to all the states having a transition on $z$ or $w$, respectively, and if it is labeled by $y$, it is related to $r_{21}$ ($r_{23}$) and $r_{22}$ if the states in the support have transitions on $z$ ($w$), and to all three of $r_{21}$, $r_{22}$ and $r_{23}$ otherwise. One can similarly show that $V$ is a strong simulation, implying $C \preceq R$. This contradicts the assumption that $C$ is a counterexample. □

F Quotient is an Abstraction: $L \preceq L/\Pi$

It suffices to show that $R = \{(s, c) \mid s \in c, c \in \Pi\}$ is a strong simulation between $L$ and $L/\Pi$. Let $s R c$ and $s \xrightarrow{a} \mu$. As $s \in c$, there exists a transition, by Definition 8, $c \xrightarrow{a} \mu_\Pi$ such that for every $c' \in \Pi$, $\mu_\Pi(c') = \sum_{s' \in c'} \mu(s')$. Let $S \subseteq S_L$. Now,

$$\mu(S) = \sum_{s' \in S} \mu(s') \le \sum_{c' \in R(S)} \sum_{s' \in c'} \mu(s') = \sum_{c' \in R(S)} \mu_\Pi(c') = \mu_\Pi(R(S))$$

As $S$ is arbitrary, this implies from Lemma 1 that $\mu \sqsubseteq_R \mu_\Pi$. Note that $s_L^0 R [s_L^0]_\Pi$. We conclude that $L \preceq L/\Pi$. □
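The quotient construction and the relation $R = \{(s, [s]_\Pi)\}$ of this appendix, as an added Python example that is not the paper's code. `quotient` lifts every distribution class-wise as in Definition 8, and `is_abstraction` shows $L \preceq L/\Pi$ the other way round from the proof above: instead of the subset inequality it exhibits the weight function $w(s, [s]_\Pi) = \mu(s)$ for each transition and checks the three conditions I take Definition 2 to state (positive entries lie in $R$, row sums give $\mu$, column sums give $\mu_\Pi$). The LPTS and the two partitions at the bottom are constructed for illustration; all names are my own.

```python
from fractions import Fraction


def class_map(partition):
    """s -> [s]_Pi for a partition given as a list of frozensets."""
    return {s: c for c in partition for s in c}


def lift(mu, partition):
    """mu_Pi(c') = sum of mu(s') over s' in c', for every class c' of Pi."""
    lifted = {}
    for c in partition:
        p = sum((mu.get(s, Fraction(0)) for s in c), Fraction(0))
        if p:
            lifted[c] = p
    return lifted


def quotient(trans, partition):
    """L/Pi: class c gets c -a-> mu_Pi for every s in c with s -a-> mu, so the
    quotient can only add behaviour.  Identical lifted moves are kept once."""
    class_of = class_map(partition)
    qtrans = {}
    for s, moves in trans.items():
        for a, mu in moves:
            move = (a, lift(mu, partition))
            if move not in qtrans.setdefault(class_of[s], []):
                qtrans[class_of[s]].append(move)
    return qtrans


def quotient_weight_function(mu, partition):
    """Witness for mu ⊑_R mu_Pi with R = {(s, [s]_Pi)}: w(s, [s]_Pi) = mu(s),
    zero elsewhere."""
    class_of = class_map(partition)
    return {(s, class_of[s]): p for s, p in mu.items() if p > 0}


def is_weight_function(w, mu1, mu2, R):
    """Weight-function conditions (assumed to be those of Definition 2):
    positive entries lie in R, row sums equal mu1, column sums equal mu2."""
    rows, cols = {}, {}
    for (s, t), p in w.items():
        if p <= 0:
            continue
        if (s, t) not in R:
            return False
        rows[s] = rows.get(s, 0) + p
        cols[t] = cols.get(t, 0) + p
    positive = lambda mu: {x: p for x, p in mu.items() if p > 0}
    return rows == positive(mu1) and cols == positive(mu2)


def is_abstraction(trans, partition):
    """L ≼ L/Pi: every s -a-> mu of L is matched by some [s]_Pi -a-> mu_Pi of
    the quotient through the weight function above."""
    q = quotient(trans, partition)
    class_of = class_map(partition)
    R = set(class_of.items())
    for s, moves in trans.items():
        for a, mu in moves:
            w = quotient_weight_function(mu, partition)
            if not any(b == a and is_weight_function(w, mu, mu_q, R)
                       for b, mu_q in q.get(class_of[s], [])):
                return False
    return True


# Constructed example: a three-state LPTS and two partitions of its states.
HALF, ONE = Fraction(1, 2), Fraction(1)
TRANS = {
    "a0": [("x", {"a1": HALF, "a2": HALF})],
    "a1": [("y", {"a1": ONE})],
    "a2": [("y", {"a2": ONE})],
}
COARSE = [frozenset({"a0"}), frozenset({"a1", "a2"})]              # merges a1, a2
FINE = [frozenset({"a0"}), frozenset({"a1"}), frozenset({"a2"})]   # L itself

if __name__ == "__main__":
    print(quotient(TRANS, COARSE), is_abstraction(TRANS, COARSE))
```

Under COARSE the two $y$-loops of $a_1$ and $a_2$ collapse into one loop on the merged class and the $x$-move lifts to a point distribution on that class; under FINE the quotient is $L$ itself. Both partitions satisfy `is_abstraction`, which is the $L \preceq L/\Pi$ statement AGAR relies on when it starts from a coarse partition of $L_2$ and refines it.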

G Proof of Lemma 6

Let $s_1$, $\mu_1$ and $M$ be as in Section 4. Consider the first case, where $R(s_1) = \emptyset$. If $R_{old}(s_1) = R_M(s_1)$, it follows that there exists $s \in Supp(\mu_1)$ with $R_{old}(s) \subsetneq R_M(s)$. This can be easily proved by contradiction and we omit this proof. As $M(s)$ is split into $R_{old}(s)$ and the rest, the strategy results in a finer partition. Otherwise, $R_{old}(s_1)$ is a strict subset of $R_M(s_1)$ and, as $R(s_1) = \emptyset$, the strategy splits $M(s_1)$ into $R_{old}(s_1)$ and the rest, which also results in a finer partition.

Now, consider the second case, where $R(s_1) \neq \emptyset$, $M(s_1) = [s_1]_\Pi$ and there is a state in $R_{old}(s_1) \setminus R(s_1)$. It follows that $R_{old}(s_1) \setminus R(s_1)$ is a non-empty, proper subset of $R_M(s_1)$ and hence, this also results in a finer partition. □



